Commit dd6b25de authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez

Merge tag 'upstream/1.6.0+snapshot20161117'

Upstream version 1.6.0+snapshot20161117
parents 8fceaf37 7b095084
......@@ -8,7 +8,7 @@
* September, 2003
*
* Translated to use libxtables for ebtables-compat in 2015 by
* Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* Arturo Borrero Gonzalez <arturo@debian.org>
*/
#include <stdio.h>
......
......@@ -5,7 +5,7 @@
*
* July, 2002, September 2006
*
* Adapted by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* Adapted by Arturo Borrero Gonzalez <arturo@debian.org>
* to use libxtables for ebtables-compat in 2015.
*/
......
......@@ -5,7 +5,7 @@
*
* July, 2002
*
* Adapted by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* Adapted by Arturo Borrero Gonzalez <arturo@debian.org>
* to use libxtables for ebtables-compat in 2015.
*/
......
......@@ -10,7 +10,7 @@
* libxt_NFLOG.c
*
* Adapted to libxtables for ebtables-compat in 2015 by
* Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* Arturo Borrero Gonzalez <arturo@debian.org>
*/
#include <stdio.h>
......
......@@ -231,6 +231,56 @@ static void DNAT_save(const void *ip, const struct xt_entry_target *target)
printf(" --persistent");
}
static void print_range_xlate(const struct nf_nat_range *range,
struct xt_xlate *xl)
{
bool proto_specified = range->flags & NF_NAT_RANGE_PROTO_SPECIFIED;
if (range->flags & NF_NAT_RANGE_MAP_IPS) {
xt_xlate_add(xl, "%s%s%s",
proto_specified ? "[" : "",
xtables_ip6addr_to_numeric(&range->min_addr.in6),
proto_specified ? "]" : "");
if (memcmp(&range->min_addr, &range->max_addr,
sizeof(range->min_addr))) {
xt_xlate_add(xl, "-%s%s%s",
proto_specified ? "[" : "",
xtables_ip6addr_to_numeric(&range->max_addr.in6),
proto_specified ? "]" : "");
}
}
if (proto_specified) {
xt_xlate_add(xl, ":%hu", ntohs(range->min_proto.tcp.port));
if (range->max_proto.tcp.port != range->min_proto.tcp.port)
xt_xlate_add(xl, "-%hu",
ntohs(range->max_proto.tcp.port));
}
}
static int DNAT_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct nf_nat_range *range = (const void *)params->target->data;
bool sep_need = false;
const char *sep = " ";
xt_xlate_add(xl, "dnat to ");
print_range_xlate(range, xl);
if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
xt_xlate_add(xl, " random");
sep_need = true;
}
if (range->flags & NF_NAT_RANGE_PERSISTENT) {
if (sep_need)
sep = ",";
xt_xlate_add(xl, "%spersistent", sep);
}
return 1;
}
static struct xtables_target snat_tg_reg = {
.name = "DNAT",
.version = XTABLES_VERSION,
......@@ -244,6 +294,7 @@ static struct xtables_target snat_tg_reg = {
.print = DNAT_print,
.save = DNAT_save,
.x6_options = DNAT_opts,
.xlate = DNAT_xlate,
};
void _init(void)
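Review bot: print_range_xlate at the top of this hunk is duplicated byte-for-byte in the SNAT module of the same commit, together with the `sep`/`sep_need` flag printing that follows it in DNAT_xlate, and two copies of the address/port formatting will drift the first time one of them is fixed. A single shared helper (libxtables, next to xtables_ip6addr_to_numeric, looks like the natural home) called from both targets would remove that risk. DNAT_xlate also emits `dnat to ` unconditionally and relies on the range carrying NF_NAT_RANGE_MAP_IPS or NF_NAT_RANGE_PROTO_SPECIFIED; the parser is outside this hunk, but the new .t file rejects a bare `-j DNAT`, so a comment such as `/* --to-destination is mandatory, so the range always carries an address or a port */` above the print_range_xlate call would save the next reader the check. The ntohs()/`%hu` pairing is correct as written; it just deserves the same comment in both copies if they stay separate.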
......
:PREROUTING
*nat
-j DNAT --to-destination dead::beef;=;OK
-j DNAT --to-destination dead::beef-dead::fee7;=;OK
-p tcp -j DNAT --to-destination [dead::beef]:1025-65535;=;OK
-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1025-65535;=;OK
-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1025-65536;;FAIL
-j DNAT;;FAIL
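Review bot: The new test file never exercises `--random` or `--persistent`, although the DNAT source in this commit prints both in DNAT_save and translates both in DNAT_xlate, so a regression in either flag would pass unnoticed. Add cases such as `-j DNAT --to-destination dead::beef --random;=;OK` and `-j DNAT --to-destination dead::beef --persistent;=;OK`, plus the combined `-j DNAT --to-destination dead::beef --random --persistent;=;OK` (assuming save prints the flags in that order; if not, spell out the expected form instead of `=`).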
:PREROUTING
*mangle
-j DNPT --src-pfx dead::/64 --dst-pfx 1c3::/64;=;OK
-j DNPT --src-pfx dead::beef --dst-pfx 1c3::/64;;FAIL
-j DNPT --src-pfx dead::/64;;FAIL
-j DNPT --dst-pfx dead::/64;;FAIL
-j DNPT;;FAIL
:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
*mangle
-j HL --hl-set 42;=;OK
-j HL --hl-inc 1;=;OK
-j HL --hl-dec 1;=;OK
-j HL --hl-set 256;;FAIL
-j HL --hl-inc 0;;FAIL
-j HL --hl-dec 0;;FAIL
-j HL --hl-dec 1 --hl-inc 1;;FAIL
-j HL --hl-set --hl-inc 1;;FAIL
......@@ -63,6 +63,11 @@ struct ip6t_log_names {
unsigned int level;
};
struct ip6t_log_xlate {
const char *name;
unsigned int level;
};
static const struct ip6t_log_names ip6t_log_names[]
= { { .name = "alert", .level = LOG_ALERT },
{ .name = "crit", .level = LOG_CRIT },
......@@ -166,6 +171,42 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target)
printf(" --log-macdecode");
}
static const struct ip6t_log_xlate ip6t_log_xlate_names[] = {
{"alert", LOG_ALERT },
{"crit", LOG_CRIT },
{"debug", LOG_DEBUG },
{"emerg", LOG_EMERG },
{"err", LOG_ERR },
{"info", LOG_INFO },
{"notice", LOG_NOTICE },
{"warn", LOG_WARNING }
};
static int LOG_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct ip6t_log_info *loginfo =
(const struct ip6t_log_info *)params->target->data;
unsigned int i = 0;
xt_xlate_add(xl, "log ");
if (strcmp(loginfo->prefix, "") != 0) {
if (params->escape_quotes)
xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
else
xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
}
for (i = 0; i < ARRAY_SIZE(ip6t_log_xlate_names); ++i)
if (loginfo->level == ip6t_log_xlate_names[i].level &&
loginfo->level != LOG_DEFAULT_LEVEL) {
xt_xlate_add(xl, "level %s",
ip6t_log_xlate_names[i].name);
break;
}
return 1;
}
static struct xtables_target log_tg6_reg = {
.name = "LOG",
.version = XTABLES_VERSION,
......@@ -178,6 +219,7 @@ static struct xtables_target log_tg6_reg = {
.save = LOG_save,
.x6_parse = LOG_parse,
.x6_options = LOG_opts,
.xlate = LOG_xlate,
};
void _init(void)
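Review bot: The prefix is written verbatim between double quotes, so a --log-prefix containing `"` or `\` produces a malformed nft statement, or one that injects a different token, when the translation is fed to `nft -f`; LOG_parse is not in this hunk, so whether it rejects those characters cannot be confirmed from here, and nothing visible escapes them. Either reject `"` and `\` at parse time or escape them before the `prefix \"%s\" ` call, and say which in a comment above the `strcmp(loginfo->prefix, "")` check. As a matter of style, `struct ip6t_log_xlate` duplicates `struct ip6t_log_names` field for field, so `static const struct ip6t_log_names ip6t_log_xlate_names[]` would do without the second type. The `loginfo->level != LOG_DEFAULT_LEVEL` test is loop-invariant and reads better hoisted in front of the loop as `if (loginfo->level != LOG_DEFAULT_LEVEL)`.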
......
:INPUT,FORWARD,OUTPUT
-j LOG;-j LOG;OK
-j LOG --log-prefix "test: ";=;OK
-j LOG --log-prefix "test: " --log-level 1;=;OK
# iptables displays the log-level output using the number; not the string
-j LOG --log-prefix "test: " --log-level alert;-j LOG --log-prefix "test: " --log-level 1;OK
-j LOG --log-prefix "test: " --log-tcp-sequence;=;OK
-j LOG --log-prefix "test: " --log-tcp-options;=;OK
-j LOG --log-prefix "test: " --log-ip-options;=;OK
-j LOG --log-prefix "test: " --log-uid;=;OK
-j LOG --log-prefix "test: " --log-level bad;;FAIL
-j LOG --log-prefix;;FAIL
......@@ -131,6 +131,26 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
printf(" --random");
}
static int MASQUERADE_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct nf_nat_range *r = (const void *)params->target->data;
xt_xlate_add(xl, "masquerade");
if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
xt_xlate_add(xl, " to :%hu", ntohs(r->min_proto.tcp.port));
if (r->max_proto.tcp.port != r->min_proto.tcp.port)
xt_xlate_add(xl, "-%hu", ntohs(r->max_proto.tcp.port));
}
xt_xlate_add(xl, " ");
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
xt_xlate_add(xl, "random ");
return 1;
}
static struct xtables_target masquerade_tg_reg = {
.name = "MASQUERADE",
.version = XTABLES_VERSION,
......@@ -142,6 +162,7 @@ static struct xtables_target masquerade_tg_reg = {
.print = MASQUERADE_print,
.save = MASQUERADE_save,
.x6_options = MASQUERADE_opts,
.xlate = MASQUERADE_xlate,
};
void _init(void)
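Review bot: The translation ends in trailing whitespace because `xt_xlate_add(xl, " ")` runs unconditionally and `"random "` carries its own trailing blank, so a plain `-j MASQUERADE` becomes `masquerade ` and `--random` becomes `masquerade random `, while the DNAT and SNAT translators in this commit emit ` random` with no trailing space. Drop the unconditional call and write `xt_xlate_add(xl, " random");` inside the flag check. Whether any other flag, such as NF_NAT_RANGE_PROTO_RANDOM_FULLY, can be set on an IPv6 MASQUERADE range is not visible in this hunk; if MASQUERADE_parse accepts it, it is silently dropped here, so a one-line comment stating which flags the translator covers would be worth adding.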
......
:POSTROUTING
*nat
-j MASQUERADE;=;OK
-j MASQUERADE --random;=;OK
-p tcp -j MASQUERADE --to-ports 1024;=;OK
-p udp -j MASQUERADE --to-ports 1024-65535;=;OK
-p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
-p udp -j MASQUERADE --to-ports -1;;FAIL
......@@ -49,8 +49,8 @@ static void NETMAP_parse(struct xt_option_call *cb)
}
}
static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
int numeric)
static void __NETMAP_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct nf_nat_range *r = (const void *)target->data;
struct in6_addr a;
......@@ -68,10 +68,17 @@ static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
printf("/%d", bits);
}
static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
printf(" to:");
__NETMAP_print(ip, target, numeric);
}
static void NETMAP_save(const void *ip, const struct xt_entry_target *target)
{
printf(" --%s ", NETMAP_opts[0].name);
NETMAP_print(ip, target, 0);
__NETMAP_print(ip, target, 0);
}
static struct xtables_target netmap_tg_reg = {
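Review bot: `__NETMAP_print` is a reserved identifier: any name beginning with two underscores belongs to the implementation in C (C11 7.1.3), and the file otherwise follows the TARGET_verb convention, so `NETMAP_print_range` or `NETMAP_print_addr` would name the helper without the reservation. The split itself is sound (NETMAP_print adds the ` to:` label, NETMAP_save its own `--to ` prefix, both over the same helper), and a line above the helper such as `/* shared by NETMAP_print and NETMAP_save; the caller prints the label */` would make the contract explicit. The helper's body is cut by the boundary between the two hunks, so its formatting could not be reviewed here.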
......
:PREROUTING,INPUT,OUTPUT,POSTROUTING
*nat
-j NETMAP --to dead::/64;=;OK
-j NETMAP --to dead::beef;=;OK
......@@ -132,6 +132,24 @@ static void REDIRECT_save(const void *ip, const struct xt_entry_target *target)
}
}
static int REDIRECT_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct nf_nat_range *range = (const void *)params->target->data;
if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
xt_xlate_add(xl, "redirect to :%hu",
ntohs(range->min_proto.tcp.port));
if (range->max_proto.tcp.port != range->min_proto.tcp.port)
xt_xlate_add(xl, "-%hu ",
ntohs(range->max_proto.tcp.port));
if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
xt_xlate_add(xl, " random ");
}
return 1;
}
static struct xtables_target redirect_tg_reg = {
.name = "REDIRECT",
.version = XTABLES_VERSION,
......@@ -143,6 +161,7 @@ static struct xtables_target redirect_tg_reg = {
.print = REDIRECT_print,
.save = REDIRECT_save,
.x6_options = REDIRECT_opts,
.xlate = REDIRECT_xlate,
};
void _init(void)
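Review bot: A rule without `--to-ports` produces no translation at all: the `redirect` keyword is only emitted inside the NF_NAT_RANGE_PROTO_SPECIFIED branch, so if REDIRECT_parse accepts `-p tcp -j REDIRECT` on its own (the parser is outside this hunk; the IPv4 module treats --to-ports as optional) the function returns 1 with an empty statement and the generated rule silently loses its target. Emit the keyword first and keep only the port part conditional: `xt_xlate_add(xl, "redirect");` before the `if`, then `xt_xlate_add(xl, " to :%hu", ntohs(range->min_proto.tcp.port));` inside it. The trailing blanks in `"-%hu "` and `" random "` should go too, to match the ` random` form used by the DNAT and SNAT translators in this commit. The new REDIRECT .t file has no case for a port-less rule, so this path is currently untested.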
......
:PREROUTING,OUTPUT
*nat
-p tcp -j REDIRECT --to-ports 42;=;OK
-p udp -j REDIRECT --to-ports 42-1234;=;OK
-p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK
-j REDIRECT --to-ports 42;;FAIL
......@@ -17,6 +17,11 @@ struct reject_names {
const char *desc;
};
struct reject_names_xlate {
const char *name;
enum ip6t_reject_with with;
};
enum {
O_REJECT_WITH = 0,
};
......@@ -124,6 +129,38 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target)
printf(" --reject-with %s", reject_table[i].name);
}
static const struct reject_names_xlate reject_table_xlate[] = {
{"no-route", IP6T_ICMP6_NO_ROUTE},
{"admin-prohibited", IP6T_ICMP6_ADM_PROHIBITED},
{"addr-unreachable", IP6T_ICMP6_ADDR_UNREACH},
{"port-unreachable", IP6T_ICMP6_PORT_UNREACH},
{"tcp reset", IP6T_TCP_RESET},
{"policy-fail", IP6T_ICMP6_POLICY_FAIL},
{"reject-route", IP6T_ICMP6_REJECT_ROUTE}
};
static int REJECT_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct ip6t_reject_info *reject =
(const struct ip6t_reject_info *)params->target->data;
unsigned int i;
for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)
if (reject_table_xlate[i].with == reject->with)
break;
if (reject->with == IP6T_ICMP6_PORT_UNREACH)
xt_xlate_add(xl, "reject");
else if (reject->with == IP6T_TCP_RESET)
xt_xlate_add(xl, "reject with %s", reject_table_xlate[i].name);
else
xt_xlate_add(xl, "reject with icmpv6 type %s",
reject_table_xlate[i].name);
return 1;
}
static struct xtables_target reject_tg6_reg = {
.name = "REJECT",
.version = XTABLES_VERSION,
......@@ -136,6 +173,7 @@ static struct xtables_target reject_tg6_reg = {
.save = REJECT_save,
.x6_parse = REJECT_parse,
.x6_options = REJECT_opts,
.xlate = REJECT_xlate,
};
void _init(void)
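Review bot: The lookup loop has no miss path: if `reject->with` matches no entry of reject_table_xlate, `i` ends at ARRAY_SIZE(reject_table_xlate) and the `else` branch reads `reject_table_xlate[i].name` one element past the array. The table lists seven values while the kernel's enum ip6t_reject_with defines more (not visible in this hunk, and whether REJECT_parse can produce them is outside it too), so the cheap guard after the loop, `if (i == ARRAY_SIZE(reject_table_xlate)) return 0;`, is worth having, assuming 0 is the "not translatable" return used by the other xlate callbacks; confirm against libxtables. A one-line comment that the names are nft's spellings, hence the space in `tcp reset`, would also help the next reader.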
......
:INPUT,FORWARD,OUTPUT
-j REJECT;=;OK
# manpage for IPv6 variant of REJECT does not show up for some reason?
-j REJECT --reject-with icmp6-no-route;=;OK
-j REJECT --reject-with icmp6-adm-prohibited;=;OK
-j REJECT --reject-with icmp6-addr-unreachable;=;OK
-j REJECT --reject-with icmp6-port-unreachable;=;OK
-j REJECT --reject-with icmp6-policy-fail;=;OK
-j REJECT --reject-with icmp6-reject-route;=;OK
-p tcp -j REJECT --reject-with tcp-reset;=;OK
-j REJECT --reject-with tcp-reset;;FAIL
......@@ -241,6 +241,62 @@ static void SNAT_save(const void *ip, const struct xt_entry_target *target)
printf(" --persistent");
}
static void print_range_xlate(const struct nf_nat_range *range,
struct xt_xlate *xl)
{
bool proto_specified = range->flags & NF_NAT_RANGE_PROTO_SPECIFIED;
if (range->flags & NF_NAT_RANGE_MAP_IPS) {
xt_xlate_add(xl, "%s%s%s",
proto_specified ? "[" : "",
xtables_ip6addr_to_numeric(&range->min_addr.in6),
proto_specified ? "]" : "");
if (memcmp(&range->min_addr, &range->max_addr,
sizeof(range->min_addr))) {
xt_xlate_add(xl, "-%s%s%s",
proto_specified ? "[" : "",
xtables_ip6addr_to_numeric(&range->max_addr.in6),
proto_specified ? "]" : "");
}
}
if (proto_specified) {
xt_xlate_add(xl, ":%hu", ntohs(range->min_proto.tcp.port));
if (range->max_proto.tcp.port != range->min_proto.tcp.port)
xt_xlate_add(xl, "-%hu",
ntohs(range->max_proto.tcp.port));
}
}
static int SNAT_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct nf_nat_range *range = (const void *)params->target->data;
bool sep_need = false;
const char *sep = " ";
xt_xlate_add(xl, "snat to ");
print_range_xlate(range, xl);
if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
xt_xlate_add(xl, " random");
sep_need = true;
}
if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
if (sep_need)
sep = ",";
xt_xlate_add(xl, "%sfully-random", sep);
sep_need = true;
}
if (range->flags & NF_NAT_RANGE_PERSISTENT) {
if (sep_need)
sep = ",";
xt_xlate_add(xl, "%spersistent", sep);
}
return 1;
}
static struct xtables_target snat_tg_reg = {
.name = "SNAT",
.version = XTABLES_VERSION,
......@@ -254,6 +310,7 @@ static struct xtables_target snat_tg_reg = {
.print = SNAT_print,
.save = SNAT_save,
.x6_options = SNAT_opts,
.xlate = SNAT_xlate,
};
void _init(void)
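Review bot: The three flag blocks in SNAT_xlate repeat the same `if (sep_need) sep = ","` bookkeeping, and DNAT_xlate in this commit carries a two-flag copy of it; a small flag/name table with one loop produces the same `random,fully-random,persistent` list (first flag preceded by a blank, later ones by a comma) and makes adding a flag a one-line change. print_range_xlate is also identical to the DNAT copy; if it stays duplicated, give it a header comment such as `/* emits [addr[-addr]][:port[-port]]; brackets only when a port follows, as nft requires */`. ARRAY_SIZE is assumed available from xtables.h as it is in the other modules of this commit.
```c
static const struct {
	unsigned int flag;
	const char *name;
} snat_xlate_flags[] = {
	{ NF_NAT_RANGE_PROTO_RANDOM,       "random" },
	{ NF_NAT_RANGE_PROTO_RANDOM_FULLY, "fully-random" },
	{ NF_NAT_RANGE_PERSISTENT,         "persistent" },
};

static int SNAT_xlate(struct xt_xlate *xl,
		      const struct xt_xlate_tg_params *params)
{
	const struct nf_nat_range *range = (const void *)params->target->data;
	const char *sep = " ";	/* blank before the first flag, comma after */
	unsigned int i;

	xt_xlate_add(xl, "snat to ");
	print_range_xlate(range, xl);

	for (i = 0; i < ARRAY_SIZE(snat_xlate_flags); i++) {
		if (!(range->flags & snat_xlate_flags[i].flag))
			continue;
		xt_xlate_add(xl, "%s%s", sep, snat_xlate_flags[i].name);
		sep = ",";
	}
	return 1;
}
```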
......
:POSTROUTING
*nat
-j SNAT --to-source dead::beef;=;OK
-j SNAT --to-source dead::beef-dead::fee7;=;OK
-p tcp -j SNAT --to-source [dead::beef]:1025-65535;=;OK
-p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535;=;OK
-p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65536;;FAIL
-j SNAT;;FAIL
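Review bot: The new test file never exercises `--random` or `--persistent`, although the SNAT source in this commit prints both in SNAT_save and translates them in SNAT_xlate, which also handles NF_NAT_RANGE_PROTO_RANDOM_FULLY and so suggests a `--random-fully` option exists as well. Add cases such as `-j SNAT --to-source dead::beef --random;=;OK`, `-j SNAT --to-source dead::beef --persistent;=;OK` and, if the option is accepted, `-j SNAT --to-source dead::beef --random-fully;=;OK`, spelling out the expected save form instead of `=` where the printed order differs from the input.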